Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Julian Reschke wrote:

And includes the ability for the user to logoff / the server reset the
login?

Is that a protocol problem or a user agent problem?

-- > <http://lists.w3.org/Archives/Public/www-archive/2012Jan/0023.html>


Possibly both.

First, its a non-issue with cookie based authentication methods (server side fancy login forms) but it is by using a cookie condition can you emulate a "Logoff" concept with HTTP BASIC/DIGEST AUTH due to the browser current persistent nature to continue reissing BASIC/DIGEST authenticated credentials until a 403 is issued.

The cookie i.e. "SESSION-OVER" is required to trap/trigger/recognized when a 403 condition should be used upon subsequent requests. That will cause the Browser to forget (either full or partially the current credentials). Depending on the browser, it could mean a lost of reusing them without typing them until the browser is completely closed.

But without a cookie, there is no logoff button concept with HTTP AUTH. So the question is does HTTP AUTH requires cookies to work. Since it does not, if a clearing of the credentials perhaps with a new 40x or redefinition of the existing 40x, is desired, it also has to be based on not requiring a cookie.

In regards to the generic problem statement Barry stated, sounds to me that this calls for a persistent IP session level management concept. A related question is to decide who is going to be asking for the initial credentials, the browser or a server-side login form concept?

--
Hector Santos, CTO
http://www.santronics.com



_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]